DOI: 10.1145/3491102.3502125
research-article

“I’m Surprised So Much Is Connected”

Published: 29 April 2022

Abstract

A person’s online security setup is tied to the security of their individual accounts. Some accounts are particularly critical as they provide access to other online services. For example, an email account can be used for external account recovery or to assist with single-sign-on. The connections between accounts are specific to each user’s setup and create unique security problems that are difficult to remedy by following generic security advice. In this paper, we develop a method to gather and analyze users’ online accounts systematically. We demonstrate this in a user study with 20 participants and obtain detailed insights on how users’ personal setup choices and behaviors affect their overall account security. We discuss concrete usability and privacy concerns that prevented our participants from improving their account security. Based on our findings, we provide recommendations for service providers and security experts to increase the adoption of security best practices.

Supplementary Material

Supplemental Materials (3491102.3502125-supplemental-materials.zip)
MP4 File (3491102.3502125-talk-video.mp4)
Talk Video



Published In

CHI '22: Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems
April 2022
10459 pages
ISBN:9781450391573
DOI:10.1145/3491102
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Account Graph
  2. security setup
  3. user interviews.

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

CHI '22
CHI '22: CHI Conference on Human Factors in Computing Systems
April 29 - May 5, 2022
LA, New Orleans, USA

Acceptance Rates

Overall Acceptance Rate 6,199 of 26,314 submissions, 24%

Article Metrics

  • Downloads (Last 12 months): 108
  • Downloads (Last 6 weeks): 10
Reflects downloads up to 29 Nov 2024
